
Qian Zhang commented on MESOS-7853:
-----------------------------------
RR:
https://reviews.apache.org/r/61270/
> Support shared PID namespace.
> -----------------------------
>
> Key: MESOS-7853
> URL: https://issues.apache.org/jira/browse/MESOS-7853
> Project: Mesos
> Issue Type: Task
> Components: containerization
> Reporter: Gilbert Song
> Assignee: Qian Zhang
> Labels: containerizer, mesosphere, namespaces
>
> Currently, with the 'namespaces/pid' isolator enabled, each container will
> have its own pid namespace. This does not meet the need for some scenarios.
> For example, under the same executor container, one task wants to reach out
> to another task which needs to share the same pid namespace.
> We should support container pid namespace to be configurable. Users can
> choose one container to share its parent's pid namespace or not.
> User facing API:
> {noformat}
> message LinuxInfo {
>   ......
>   // True if it shares the pid namespace with its parent. If the
>   // container is a top level container, it means share the pid
>   // namespace with the agent. If the container is a nested
>   // container, it means share the pid namespace with its parent
>   // container. This field will be ignored if 'namespaces/pid'
>   // isolator is not enabled.
>   optional bool share_pid_namespace = 4;
> }
> {noformat}
> A new agent flag:
> --disallow_top_level_pid_ns_sharing (defaults to: false)
> This is a security concern from the operator's perspective. While some of the
> nested containers share the pid namespace from their parents, the top level
> containers never share the pid ns from the agent.
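An operator-side check for the sharing rules described in the issue, as an added example that is not part of the ticket or of Mesos: it compares the `/proc/<pid>/ns/pid` links of container init processes against the agent's and against their parents'. The function names, status labels and the way init PIDs are supplied are assumptions of this example, and the sample `/proc` tree is constructed.

```python
import os
import re
import tempfile

NS_LINK = re.compile(r"^pid:\[(\d+)\]$")

def pid_ns_id(pid, proc_root="/proc"):
    """Inode number identifying the PID namespace that `pid` lives in."""
    # On a live host, reading another user's ns link needs root (ptrace access).
    link = os.readlink(os.path.join(proc_root, str(pid), "ns", "pid"))
    match = NS_LINK.match(link)
    if match is None:
        raise ValueError(f"unexpected namespace link: {link!r}")
    return int(match.group(1))

def audit(agent_pid, containers, disallow_top_level, proc_root="/proc"):
    """containers: (id, init_pid, parent_init_pid or None for top level).
    Returns {id: "isolated" | "shares-parent" | "shares-agent" | "violation"}
    (hypothetical labels chosen for this example)."""
    agent_ns = pid_ns_id(agent_pid, proc_root)
    report = {}
    for cid, pid, parent_pid in containers:
        ns = pid_ns_id(pid, proc_root)
        if parent_pid is None:  # top-level container: its parent is the agent
            if ns != agent_ns:
                report[cid] = "isolated"
            else:
                report[cid] = "violation" if disallow_top_level else "shares-agent"
        else:  # nested container: compare with the parent container's init
            parent_ns = pid_ns_id(parent_pid, proc_root)
            report[cid] = "shares-parent" if ns == parent_ns else "isolated"
    return report

def fake_proc(ns_by_pid):
    """Build a constructed /proc look-alike: {pid: ns_inode} -> directory path."""
    root = tempfile.mkdtemp()
    for pid, inode in ns_by_pid.items():
        os.makedirs(os.path.join(root, str(pid), "ns"))
        os.symlink(f"pid:[{inode}]", os.path.join(root, str(pid), "ns", "pid"))
    return root

if __name__ == "__main__":
    # Constructed sample: agent 100; top-level "exec" 200 with nested tasks
    # 210 (shares parent) and 220 (own ns); top-level "batch" 300 shares agent.
    root = fake_proc({100: 4026531836, 200: 4026532201, 210: 4026532201,
                      220: 4026532305, 300: 4026531836})
    containers = [("exec", 200, None), ("exec.task1", 210, 200),
                  ("exec.task2", 220, 200), ("batch", 300, None)]
    for cid, status in audit(100, containers, True, root).items():
        print(f"{cid:12} {status}")
```

On a real agent host, call `audit` with the default `proc_root` and the actual init PIDs; a top-level container reported as `violation` is in the agent's PID namespace even though sharing is meant to be disallowed.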